Those who mount attacks on Internet websites or addresses typically falsify the source addresses (origins) of the packets they send. There is, therefore, a need for a reliable attribution method that identifies the addresses of the machines that might actually have originated an attack packet once it arrives at a victim site. Because all the machines connected to a hub in a Local Area Network (LAN) may be indistinguishable from one another as potential origins of a packet, it may only be possible to determine a set of addresses that contains the actual origin. Even so, that result can be very useful to those attempting to track the origin of an identified data packet.
A packet is a basic unit of communication over a digital network. Depending on the protocol layer it is also called a datagram, a segment, a block, a cell or a frame. When data has to be transmitted it is broken into a series of such units, which are reassembled into the original data at the destination.
Packets vary in structure depending on the protocols implementing them. VoIP uses the IP protocol, and hence IP packets. On an Ethernet network, for example, data is transmitted in Ethernet frames. The structure of a packet depends on the type of packet it is and on the protocol. Normally, a packet has a header and a payload. The header carries overhead information about the packet, the service and other transmission-related matters. For example, an IPv4 header includes the source IP address, the destination IP address, an identification number that groups the fragments of one datagram (sequence numbers, by contrast, belong to a transport protocol such as TCP, not to IP), the type of service, and flags. The payload is the data the packet carries.
Most network data transmission technologies use packets to carry data from a source device to a destination device, and the IP protocol is no exception: IP packets are its most fundamental component. The two main functions of the IP protocol are routing and addressing. To route packets to and from machines on a network, the protocol uses the IP addresses carried in each packet. A good deal of other information is also carried in the packet header. An identification field allows a receiver to reassemble a datagram from its fragments if it has been fragmented along the way. Two flags control fragmentation: the Don't Fragment flag tells routers that the packet may not be fragmented (a router drops it instead if it is too large for the next link), and the More Fragments flag indicates that further fragments of the same datagram follow. The fragment offset gives the position, in eight-byte units, of this fragment's data within the original datagram. Time to Live (TTL) is a count of how many hops (router passes) the packet may make before it is discarded; each router decrements it by one, so that a packet cannot circulate forever and congest the network. The header checksum is used to detect corruption of the header in transit; it cannot correct errors, and because the TTL changes at every hop, each router must recompute it. The total length field is sixteen bits wide, so an IP datagram, header and payload together, can be at most 65,535 bytes; the payload can therefore approach 64 kilobytes, which is large compared with the twenty or so bytes of header.
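The header fields just described can be checked mechanically. The following Python is an added example written for this page, not part of the patent text: it parses a raw IPv4 header, decodes the fragmentation flags and offset, verifies the header checksum, and shows why a router that decrements the TTL must also recompute that checksum. The sample datagram, its addresses and its payload are constructed for the example.

```python
"""Parse and verify an IPv4 header (RFC 791). Added example; the sample
datagram below is constructed here, using documentation address ranges."""
import socket
import struct
from dataclasses import dataclass

IP_FLAG_DF = 0x2            # Don't Fragment: drop rather than fragment
IP_FLAG_MF = 0x1            # More Fragments: more pieces of this datagram follow
IP_MAX_TOTAL_LENGTH = 0xFFFF            # 16-bit Total Length field
IP_MAX_PAYLOAD = IP_MAX_TOTAL_LENGTH - 20  # 65,515 bytes with a 20-byte header


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


@dataclass
class IPv4Header:
    ihl: int
    tos: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int        # in 8-byte units, as carried on the wire
    ttl: int
    protocol: int
    checksum: int
    checksum_ok: bool
    src: str
    dst: str

    @property
    def payload_length(self) -> int:
        return self.total_length - self.ihl * 4

    @property
    def fragment_byte_offset(self) -> int:
        """Where this fragment's data sits in the reassembled datagram."""
        return self.fragment_offset * 8


def parse_ipv4(packet: bytes) -> IPv4Header:
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    if ihl < 5 or ihl * 4 > len(packet):
        raise ValueError("bad IHL %d" % ihl)
    if total_length < ihl * 4 or total_length > len(packet):
        raise ValueError("Total Length %d inconsistent with capture" % total_length)
    # A header carrying a correct checksum sums to 0xFFFF. This only detects
    # corruption; it cannot say which bit flipped, let alone repair it.
    checksum_ok = ones_complement_sum(packet[:ihl * 4]) == 0xFFFF
    flags = flags_frag >> 13
    return IPv4Header(
        ihl=ihl, tos=tos, total_length=total_length, identification=ident,
        dont_fragment=bool(flags & IP_FLAG_DF),
        more_fragments=bool(flags & IP_FLAG_MF),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum, checksum_ok=checksum_ok,
        src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst))


def build_ipv4(src: str, dst: str, payload: bytes, *, ident: int = 0,
               ttl: int = 64, protocol: int = 6, dont_fragment: bool = True) -> bytes:
    """Build a datagram with a minimal 20-byte header and a valid checksum."""
    if len(payload) > IP_MAX_PAYLOAD:
        raise ValueError("payload exceeds %d bytes" % IP_MAX_PAYLOAD)
    flags_frag = (IP_FLAG_DF if dont_fragment else 0) << 13
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = (~ones_complement_sum(header)) & 0xFFFF   # fill checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


# Constructed sample: a TCP datagram with the Don't Fragment bit set.
SAMPLE = build_ipv4("10.0.0.5", "192.0.2.10", b"\x00\x50\x1f\x90DATA", ident=0x1234)


def ttl_decrement_without_fixup(packet: bytes) -> IPv4Header:
    """What a router must not do: lower the TTL and leave the checksum alone."""
    bad = bytearray(packet)
    bad[8] -= 1
    return parse_ipv4(bytes(bad))
```

`ttl_decrement_without_fixup(SAMPLE).checksum_ok` is `False`, which is why every router recomputes the header checksum after decrementing the TTL, and why any traceback scheme that fingerprints packets must ignore both fields.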
A variation of this problem is to identify the IP packet from an incomplete description of its properties, and then find the true origin of that packet. This variation is useful in practice because it is not always reasonable to expect trackers to possess the actual IP packet. It is far more likely that a tracker will know specific properties of the attack, such as the time of the attack, the IP address of the victim machine, perhaps the port on that machine, and the type of packet (protocol) involved. The present invention attempts to solve these problems by developing a set of cooperating information sources, each of which can reliably report whether or not an identified data packet passed through it at a given point in time. Various types of systems have been developed for identifying the origin of data streams under a variety of differing conditions, incorporating a number of different technologies.
U.S. Pat. No. 6,822,971 issued to Mikkonen discloses a module, and associated method, that is engageable with a data terminal. The module includes a storage element for storing an identifier address, used to identify the origin of a packet of data. The module can be released out of positioning at a first data terminal and thereafter utilized at a second data terminal. Thereby, mobility of communications is increased as a user of successive data terminals can identify each successive data terminal with the same identifier.
U.S. Pat. No. 5,798,706 issued to Kraemer et al. describes identifying a back door packet communication between a workstation on a network and a device outside the network by detecting packets that are associated with communication involving devices outside the network, and identifying, among those detected packets, packets that are being sent or received by a device that is not authorized to communicate with devices outside the network.
U.S. Pat. No. 6,279,113, issued to Vaidya, discloses a signature based dynamic network intrusion detection system (IDS) that includes attack signature profiles descriptive of characteristics of known network security violations. The attack signature profiles are organized into sets of attack signature profiles according to the security requirements of network objects on a network. Each network object is assigned a set of attack signature profiles, which is stored in a signature profile memory together with association data indicating which sets of attack signature profiles correspond to which network objects. A monitoring device monitors network traffic for data addressed to the network objects. Upon detecting a data packet addressed to one of the network objects, packet information is extracted from the data packet. The extracted information is used to obtain the set of attack signature profiles corresponding to the network object based on the association data. A virtual processor executes instructions associated with the attack signature profiles to determine whether the packet is associated with a known network security violation. An attack signature profile generator is used to generate additional attack signature profiles configured for processing by the virtual processor without any corresponding modification of the virtual processor.
U.S. Pat. No. 6,088,804 issued to Hill et al. describes a dynamic network security system that responds to security attacks on a computer network having a multiplicity of computer nodes. The security system includes a plurality of security agents that concurrently detect occurrences of security events on associated computer nodes. A processor processes the security events that are received from the security agents to form an attack signature of the attack. A network status display displays multi-dimensional attack status information representing the attack in a two dimensional image to indicate the overall nature and severity of the attack. The network status display also includes a list of recommended actions for mitigating the attack. The security system is adapted to respond to a subsequent attack that has a subsequent signature most closely resembling the attack signature.
U.S. Pat. No. 6,301,668 to Gleichauf et al. discloses a method and system for adaptive network security using network vulnerability assessment. The method comprises directing a request onto a network. A response to the request is assessed to discover network information. A plurality of analysis tasks are prioritized based upon the network information. The plurality of analysis tasks are to be performed on monitored network data traffic in order to identify attacks upon the network.
United States Patent Application Publication No. 2002/0165957 to Devoe et al. discloses a method for building a network route map in which network operational characteristics are gathered by actively probing multiple network routes, and building the network route map based on the operational characteristics. Route maps are generated which provide a view of the network from the perspective of a particular routing device in the network. Embodiments include methods for gathering the operational data by transmitting one or more data packets, receiving responses thereto, and determining time differentials based on the responses. Other embodiments include methods for processing the operational data to determine various metrics, and normalizing the data with similar data gathered from other network route probes. Finally, additional embodiments include propagation of the preferred route information to multiple routing devices to provide intelligent route selection thereto.
United States Patent Application Publication No. 2003/0097439 to Strayer et al. discloses a traffic auditor (130) that analyzes traffic in a communications network (100). The traffic auditor (130) performs traffic analysis on traffic in the communications network (100) and develops a model of expected traffic behavior based on that analysis. The traffic auditor (130) then analyzes traffic in the communications network (100) to identify deviations from the expected traffic behavior model. This invention requires the interposition of collection agents within the network to collect traffic data; it does not depend upon traffic reports from any other location. Compare FIG. 1 of the instant invention with FIG. 2 of the '439 publication.
In fact, the Strayer invention is complex: its devices must be properly placed and connected to the network; and its steps must be performed in specific sequence for it to work.
The process is described in FIGS. 7A-15 and paragraphs [0105]-[0123]. The Strayer process starts with mathematical traffic analysis and includes complex data encoding and analysis. See paragraphs [0041]-[0104]. The process continues with, inter alia, filtering out expected traffic and querying anomalous traffic. In contrast, the instant invention involves no complicated calculations and simply places information in a lookup table for later use, if desired.
U.S. Pat. No. 7,814,546 to Strayer, et al. discloses a system and method for determining the point of entry of a malicious packet into a network. An intrusion detection system detects entry of the malicious packet into the network (500). A stepping stone detection system identifies stepping stones in extended connections within the network (524). A trace back engine isolates the malicious packet in response to operation of the intrusion detection system (528), wherein the trace back engine utilizes the identified stepping stones to determine the point of entry of the malicious packet.
This patent allows for installation of Data Generation Agents (DGA 410) on each router (405). The DGA (410) produces a packet digest of each packet as it is forwarded through the router (405) and stores the digests in time-stamped digest tables. The tables are paged or refreshed periodically, and each represents the set of traffic forwarded by the router during a particular interval of time. Each table is annotated with its time interval and the set of hash functions used to compute the packet digests over that interval. The digest tables are stored locally at the DGA (410) for some period of time, depending on the resource constraints of the router. Strayer's invention traces a packet from the end point in a network back along the path it took, one hop at a time, to its origin. The present invention does not require DGAs at all routers. In the present invention, cooperating routers could be few in number and sparsely distributed through a large network, and the method would still compute a set of possible origin addresses.
Strayer's invention traces back traffic only for a short time after the packet is seen. Accordingly, its DGAs maintain logs that may be discarded quickly. In the present invention, cooperating nodes in the network maintain packet digests for arbitrarily long. In addition, installation of a DGA (410) on a router does not make that router “cooperating”. A malicious person could install a DGA (410) on his own router, and a traceback system that trusted data from that router could be badly misled. In the present invention, “cooperating” routers are trusted to maintain valid and accurate packet digests for arbitrarily long periods of time.
United States Patent Application Publication No. 2003/0115485 to Milliken discloses a system (126-129) for detecting transmission of potentially malicious packets. The system (126-129) receives packets and generates hash values corresponding to each of the packets. The system (126-129) may then compare the generated hash values to hash values corresponding to prior packets. The system (126-129) determines that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the one packet. The system (126-129) may also facilitate the tracing of the path taken by a potentially malicious packet. In this case, the system (126-129) may receive a message that identifies a potentially malicious packet, generate hash values from the potentially malicious packet, and determine whether one or more of the generated hash values match hash values corresponding to previously-received packets. The system (126-129) may then identify the potentially malicious packet as one of the previously-received packets when one or more of the generated hash values match the hash value corresponding to the one previously-received packet.
U.S. Pat. No. 6,981,158 to Sanchez discloses a system and method for performing source path isolation in a network. The system comprises an intrusion detection system (IDS), a source path isolation server (SS1) and at least one router configured to operate as a source path isolation router (SR1) operating within an autonomous system. When the IDS detects a malicious packet, a message is sent to SS1. SS1 in turn generates a query message (QM) containing at least a portion of the malicious packet. QM is then sent to participating routers located one hop away. SR1 uses the query message to determine whether it has observed the malicious packet by comparing it with locally stored information about packets that have passed through SR1. SR1 sends a reply to SS1, and SS1 uses the reply to identify the ingress point of the malicious packet into the network. Sanchez does not teach a plurality of non-cooperating locations on the network. In FIG. 4, the Node Response column for Nodes 03 and n is in response to the question shown at 410, namely, “Did SR see Target Packet?” Either possible response requires a cooperating network element.
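The digest tables described for the Strayer and Milliken systems and the query-and-reply exchange described for Sanchez rest on one mechanism: each router hashes the packets it forwards into a compact per-interval structure, and a traceback server later asks each router whether it saw a given packet. The following Python is an added example written for this page, not code from any of the cited patents or from the present invention: it digests only the header bytes that routers do not rewrite, so the same packet produces the same digest at every hop; stores digests in a Bloom filter per time interval; answers queries over a time window; and reduces the routers' yes/no answers to a set of candidate origin addresses of the kind the hub-LAN discussion above anticipates. The topology, addresses, payloads and hash seeds are constructed for the example. A Bloom filter can return false positives, so a “seen” answer is probabilistic; a “not seen” answer is not.

```python
"""Per-interval packet digest tables and a traceback query over them.
Added example, not code from any cited patent; topology, addresses,
payloads and hash seeds are constructed for illustration."""
import hashlib
import socket
import struct

MUTABLE_HEADER_BYTES = (1, 8, 10, 11)  # ToS, TTL, checksum: rewritten per hop
PAYLOAD_PREFIX = 8                     # payload bytes folded into the digest


def packet_digest_input(packet: bytes) -> bytes:
    """Header with the mutable bytes zeroed plus a payload prefix: the same at
    every router on the path, unlike the raw bytes."""
    ihl = (packet[0] & 0x0F) * 4
    buf = bytearray(packet[: ihl + PAYLOAD_PREFIX])
    for i in MUTABLE_HEADER_BYTES:
        buf[i] = 0
    return bytes(buf)


class BloomFilter:
    """k keyed hashes into an m-bit field; may false-positive, never false-negative."""
    def __init__(self, nbits: int, seeds: tuple):
        self.nbits, self.seeds, self.bits = nbits, seeds, 0

    def _positions(self, data: bytes):
        for seed in self.seeds:
            h = hashlib.blake2b(data, digest_size=8, key=seed).digest()
            yield struct.unpack("!Q", h)[0] % self.nbits

    def add(self, data: bytes) -> None:
        for pos in self._positions(data):
            self.bits |= 1 << pos

    def __contains__(self, data: bytes) -> bool:
        return all((self.bits >> pos) & 1 for pos in self._positions(data))


class DigestAgent:
    """One cooperating router: a Bloom filter per time interval, indexed by
    interval start and (in this example) kept indefinitely."""
    def __init__(self, name, attached_hosts, interval=60, nbits=1 << 16, k=3):
        self.interval, self.nbits = interval, nbits
        self.attached_hosts = frozenset(attached_hosts)
        self.seeds = tuple(("%s-%d" % (name, i)).encode() for i in range(k))
        self.tables = {}

    def observe(self, packet: bytes, ts: int) -> None:
        start = ts - ts % self.interval
        table = self.tables.setdefault(start, BloomFilter(self.nbits, self.seeds))
        table.add(packet_digest_input(packet))

    def saw(self, packet: bytes, t_lo: int, t_hi: int) -> bool:
        """Reply to a query: was this packet forwarded within [t_lo, t_hi]?"""
        digest = packet_digest_input(packet)
        first = t_lo - t_lo % self.interval
        return any(digest in tbl for start, tbl in self.tables.items()
                   if first <= start <= t_hi)


def traceback(agents, links, victim_agent, packet, t_lo, t_hi):
    """Query every router, walk from the victim-side router through reporting
    neighbours, return (reporting routers, candidate origins). Hosts behind the
    last reporting router are indistinguishable (the hub-LAN case), so all are
    returned; if its upstream neighbour does not cooperate, the true origin may
    lie beyond it."""
    reporting = {n for n, a in agents.items() if a.saw(packet, t_lo, t_hi)}
    if victim_agent not in reporting:
        return set(), set()
    seen, stack, frontier = {victim_agent}, [victim_agent], []
    while stack:
        node = stack.pop()
        nxt = [n for n in links.get(node, ()) if n in reporting and n not in seen]
        if not nxt:
            frontier.append(node)
        seen.update(nxt)
        stack.extend(nxt)
    return reporting, set().union(*(agents[n].attached_hosts for n in frontier))


def raw_ipv4(src, dst, payload, ident, ttl=64):
    """Minimal UDP/IPv4 datagram; checksum left zero since the digest masks it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def with_ttl(packet: bytes, ttl: int) -> bytes:
    """The per-hop TTL decrement a router applies before forwarding."""
    return packet[:8] + bytes([ttl]) + packet[9:]


# Constructed topology: R1 and R4 are edge routers with small LANs, R2 is a
# transit router, R3 sits in front of the victim 192.0.2.10. The source
# address on both packets is spoofed and plays no part in the trace.
LINKS = {"R1": {"R2"}, "R4": {"R2"}, "R2": {"R1", "R4", "R3"}, "R3": {"R2"}}
PACKET_P = raw_ipv4("203.0.113.7", "192.0.2.10", b"flood-P-000", ident=0x0101)
PACKET_Q = raw_ipv4("203.0.113.7", "192.0.2.10", b"flood-Q-000", ident=0x0202)


def build_scenario():
    agents = {"R1": DigestAgent("R1", ["10.1.0.10", "10.1.0.11", "10.1.0.12"]),
              "R2": DigestAgent("R2", []),
              "R3": DigestAgent("R3", ["192.0.2.10"]),
              "R4": DigestAgent("R4", ["10.4.0.20", "10.4.0.21"])}
    # P enters at R1 and crosses R2, R3; Q enters at R4. TTL drops at each
    # hop but the digest does not, so every hop recognises the same packet.
    for name, ttl, ts in (("R1", 64, 100), ("R2", 63, 100), ("R3", 62, 101)):
        agents[name].observe(with_ttl(PACKET_P, ttl), ts)
    for name, ttl, ts in (("R4", 64, 103), ("R2", 63, 103), ("R3", 62, 104)):
        agents[name].observe(with_ttl(PACKET_Q, ttl), ts)
    return agents
```

`traceback(build_scenario(), LINKS, "R3", PACKET_P, 90, 120)` reports R1, R2 and R3 and returns the three hosts behind R1 as the candidate origins; the spoofed source address is never consulted. Querying a window in which nothing was observed returns two empty sets, and only agents that actually keep their tables for that long can answer at all, which is the retention point made about DGAs above.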
The primary objective of the present invention is to provide a system that allows users to identify the source of an identified data packet or packet stream at any point in time. In this way, a source of unwanted packets that are potentially harmful to a given destination may be prevented from sending them, or the packet stream may be avoided. A secondary objective is to develop the system as a service utility that uses information obtained from a cooperating community to broaden and strengthen the integrity of the network in which it operates, and to make it more difficult for untrusted sources to send unwanted data packets to destination sites. A further objective is to provide these capabilities and services without requiring modifications to existing router hardware.